{% set subnets = ([strongswan_network] if ipsec_enabled else []) + ([wireguard_network_ipv4] if wireguard_enabled else []) %}
{% set ports = (['500', '4500'] if ipsec_enabled else []) + ([wireguard_port] if wireguard_enabled else []) + ([wireguard_port_actual] if wireguard_enabled and wireguard_port|int == wireguard_port_avoid|int else []) %}

#### The mangle table
# This table allows us to modify packet headers
# Packets enter this table first
#
*mangle

:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]

{% if reduce_mtu|int > 0 and ipsec_enabled %}
-A FORWARD -s {{ strongswan_network }} -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss {{ 1360 - reduce_mtu|int }}
{% endif %}

COMMIT


#### The nat table
# This table enables Network Address Translation
# (This is technically a type of packet mangling)
#
*nat

:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]

{% if wireguard_enabled and wireguard_port|int == wireguard_port_avoid|int %}
# Handle the special case of allowing access to WireGuard over an already used
# port like 53
-A PREROUTING -s {{ subnets|join(',') }} -p udp --dport {{ wireguard_port_avoid }} -j RETURN
-A PREROUTING --in-interface {{ ansible_default_ipv4['interface'] }} -p udp --dport {{ wireguard_port_avoid }} -j REDIRECT --to-port {{ wireguard_port_actual }}
{% endif %}
# Allow traffic from the VPN network to the outside world, and replies
-A POSTROUTING -s {{ subnets|join(',') }} -m policy --pol none --dir out {{ '-j SNAT --to ' + snat_aipv4 if snat_aipv4 else '-j MASQUERADE' }}


COMMIT


#### The filter table
# The default ipfilter table
#
*filter

# By default, drop packets that are destined for this server
:INPUT DROP [0:0]
# By default, drop packets that request to be forwarded by this server
:FORWARD DROP [0:0]
# By default, accept any packets originating from this server
:OUTPUT ACCEPT [0:0]

# Accept packets destined for localhost
-A INPUT -i lo -j ACCEPT
# Accept any packet from an open TCP connection
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Accept packets using the encapsulation protocol
-A INPUT -p esp -j ACCEPT
-A INPUT -p ah -j ACCEPT
# rate limit ICMP traffic per source
-A INPUT -p icmp --icmp-type echo-request -m hashlimit --hashlimit-upto 5/s --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name icmp-echo-drop -j ACCEPT
# Accept IPSEC/WireGuard traffic to ports {{ subnets|join(',') }}
-A INPUT -p udp -m multiport --dports {{ ports|join(',') }} -j ACCEPT
# Allow new traffic to port {{ ansible_ssh_port }} (SSH)
-A INPUT -p tcp --dport {{ ansible_ssh_port }} -m conntrack --ctstate NEW -j ACCEPT

{% if ipsec_enabled %}
# Allow any traffic from the IPsec VPN
-A INPUT -p ipencap -m policy --dir in --pol ipsec --proto esp -j ACCEPT
{% endif %}

# TODO:
# The IP of the resolver should be bound to a DUMMY interface.
# DUMMY interfaces are the proper way to install IPs without assigning them any
# particular virtual (tun,tap,...) or physical (ethernet) interface.

# Accept DNS traffic to the local DNS resolver
-A INPUT -d {{ local_service_ip }} -p udp --dport 53 -j ACCEPT

# Drop traffic between VPN clients
-A FORWARD -s {{ subnets|join(',') }} -d {{ subnets|join(',') }} -j {{ "DROP" if BetweenClients_DROP else "ACCEPT" }}
# Drop traffic to VPN clients from SSH tunnels
-A OUTPUT -d {{ subnets|join(',') }} -m owner --gid-owner 15000 -j {{ "DROP" if BetweenClients_DROP else "ACCEPT" }}

# Drop traffic to the link-local network
-A FORWARD -s {{ subnets|join(',') }} -d 169.254.0.0/16 -j DROP
# Drop traffic to the link-local network from SSH tunnels
-A OUTPUT -d 169.254.0.0/16 -m owner --gid-owner 15000 -j DROP

# Forward any packet that's part of an established connection
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Drop SMB/CIFS traffic that requests to be forwarded
-A FORWARD -p tcp --dport 445 -j {{ "DROP" if block_smb else "ACCEPT" }}
# Drop NETBIOS trafic that requests to be forwarded
-A FORWARD -p udp -m multiport --ports 137,138 -j {{ "DROP" if block_netbios else "ACCEPT" }}
-A FORWARD -p tcp -m multiport --ports 137,139 -j {{ "DROP" if block_netbios else "ACCEPT" }}

{% if ipsec_enabled %}
# Forward any IPSEC traffic from the VPN network
-A FORWARD -m conntrack --ctstate NEW -s {{ strongswan_network }} -m policy --pol ipsec --dir in -j ACCEPT
{% endif %}

{% if wireguard_enabled %}
# Forward any traffic from the WireGuard VPN network
-A FORWARD -m conntrack --ctstate NEW -s {{ wireguard_network_ipv4 }} -m policy --pol none --dir in -j ACCEPT
{% endif %}

COMMIT
